5 Step Plan: How to Prepare for an ISO 27001 Certification Audit

An ISO 27001 certification audit can be intimidating, especially for those new to the world of management standards. The right preparation can not only install confidence, but also increase your chances of a smooth process and a successful outcome.

ISO 27001 is manageable and not out of reach for anyone!
It’s a process made up of things you already know – and things you may already be doing.

What is the ISO 27001 Certification Audit?

In Stage 1, often called the tabletop audit or documentation review, the auditor verifies whether your documentation complies with the standard.

In Stage 2, the so-called compliance audit, the auditor verifies that your information security management system (ISMS) operates effectively, as documented and in compliance with ISO 27001.

5 Critical Steps for Passing Your Certification Audit

Preparing for your audit is largely about making sure you have the right information available for the auditor, and that you communicate with him or her effectively. Here are the 5 critical steps to success:

1) Review the Audit Plan.

Review the audit plan in detail and discuss it with the auditor in advance. If areas are missing or inaccurate, this is your best remaining opportunity to get things right without last-minute struggle and scrambling. This also gives you an opportunity to establish a rapport and do some “relationship building” with the auditor.

2) Prepare Your Documentation in Advance.

Review the Information Request List and provide the requested documentation to the auditor before the Stage 1 audit (the auditor will request this). A little upfront legwork can eliminate a lot of the stress commonly associated with audits.

3) Clarify Outstanding Items and Issues at Predetermined Check-Ins.

Establish a check-in schedule and ask your auditor what’s outstanding and what findings have been noted. (For example, Stage 1 audits often take 2-3 days, so daily check-ins would be recommended.) If you need clarification or details, ask for it. This can be your best chance to “pick the auditor’s brain” before he or she delivers the report.

4) Prepare for Your Interviews.

Preparing to speak with the auditor is an often-overlooked step, but it does not need to take much time. You may only need to send out an email prior to the interviews to remind key employees to organize their facts in advance, provide thoughtful and concise answers and (this is important) stick to the topic under discussion without veering off onto tangents. Provide real life examples on what kinds of evidence the auditor will request. Finally, ask employees to bring their laptops and be prepared to provide the requested evidence quickly and efficiently.

5) Debrief Your Staff Post Audit.

At the close of your Stage 1 and Stage 2 audits, hold a debriefing with the people involved. What went right? What went wrong? What insights were noted? How can you do better next time? You should also maintain notes on what documents were provided. Time spent now will save you time later by streamlining future audits.

ISO 27001 Experts Can Help

If you’re working toward ISO 27001 certification with the help of third-party experts like Pivot Point Security*, they will most likely arrange a quick review of your documented ISMS prior to the formal certification audit. This helps ensure that your formal audit won’t be a waste of time and money by identifying potential problems so they can be rectified in advance. This “informal audit” process is also a great reason and a great support for getting your documentation, people and ISMS prepared for the actual audit.

To find out more about ISO 27001 certification, tap into some useful resources, and understand how a trusted partner can make the ISO 27001 audit process as painless, beneficial and cost-efficient as possible, contact Pivot Point Security.